Why multiple layers of security are important

Published October 3rd, 2013 at 11:20 AM EDT , modified October 3rd, 2013 at 11:20 AM EDT

Most of the time, Mac OS X protects you quite well against current malware threats, and that is one reason (among others) that I generally don't advise most people to run additional anti-virus software. That advice isn't one-size-fits-all, however. Sometimes it is important to add another layer to your security, and today, as it happens, a perfect example of why that can be important deserves some attention.

Exactly one week ago, I wrote about a new trojan being used for targeted attacks, named Icefog. This malware, discovered by Kaspersky, is a simple trojan that disguises itself as a legitimate app in order to trick the user into opening it. On the same day that I wrote that article, I also located a copy of Icefog (so that I could describe it accurately) and provided a copy of that malware to Apple's product security team.

Submitting malware to Apple is something I've done a number of times before, and usually the result is a fairly swift update to the XProtect definitions. (For those who don't know, XProtect is an anti-malware system added in Mac OS X 10.6, aka Snow Leopard. For more information, see How does Mac OS X protect me?) This ensures that all users of Snow Leopard and later will be protected against opening such trojans, assuming they haven't disabled any of the security systems XProtect relies on. In particular, XProtect only checks files that carry the quarantine attribute applied by browsers, mail clients and other quarantine-aware apps, so a file that arrives by some other route is never scanned by it at all.

Unfortunately, in this case, a full week has elapsed since I submitted the malware to Apple without any update to XProtect. The last update occurred on September 19, a week before Kaspersky's Icefog announcement. Just to be sure that Apple and Kaspersky hadn't been in contact before the announcement, I went through all the XProtect definitions, and there is definitely not one in there for Icefog. (One person suggested to me that perhaps XProtect refers to the malware by a name other than Icefog, but I can account for every single entry in the XProtect database, and not one of them is Icefog.)
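The check described above, as an added example that is not code from the original post or from Apple: read XProtect.meta.plist for the definition version and last-modification date, list every Description in XProtect.plist so each entry can be accounted for, and test a file against the Identity (SHA-1 of the file) and Pattern (hex byte string) clauses of each definition. On a 2013-era Mac both files live under /System/Library/CoreServices/CoreTypes.bundle/Contents/Resources/; the two plists and the "sample trojan" bytes below are constructed for this example, the names, hash and pattern describe no real malware, and the matching logic is a simplified model of how XProtect's clauses are understood to work, not Apple's implementation.

```python
"""Check what XProtect actually knows, using constructed copies of its data.

Added example, not code from the original post or from Apple. The key names
(Version, LastModification, Description, Matches, Identity, Pattern) follow the
2013-era XProtect.meta.plist / XProtect.plist layout; the sample data is
constructed and the matching is a simplified model, not Apple's code.
"""
import hashlib
import plistlib

# Constructed stand-ins for a file that should be caught and one that should not.
SAMPLE_TROJAN = b"\xcf\xfa\xed\xfe" + b"constructed sample, not real malware" * 4
SAMPLE_CLEAN = b"\xcf\xfa\xed\xfe" + b"an unrelated binary"

# Constructed XProtect.meta.plist; the date mirrors the post's last known update.
META_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>Version</key>
    <integer>1054</integer>
    <key>LastModification</key>
    <string>Thu, 19 Sep 2013 21:10:26 GMT</string>
</dict>
</plist>
"""


def build_sample_definitions() -> bytes:
    """Serialize a constructed XProtect.plist with two definitions.

    Entry A matches on Identity (SHA-1 of the whole file); entry B matches on
    Pattern (a hex-encoded byte string that must appear in the file).
    """
    definitions = [
        {
            "Description": "OSX.ExampleA",
            "LaunchServices": {"LSItemContentType": "com.apple.application-bundle"},
            "Matches": [{
                "MatchFile": {"NSURLTypeIdentifierKey": "com.apple.mach-o-binary"},
                "MatchType": "Match",
                "Identity": hashlib.sha1(SAMPLE_TROJAN).digest(),
            }],
        },
        {
            "Description": "OSX.ExampleB",
            "LaunchServices": {"LSItemContentType": "com.apple.application-bundle"},
            "Matches": [{
                "MatchFile": {"NSURLTypeIdentifierKey": "com.apple.mach-o-binary"},
                "MatchType": "Match",
                "Pattern": b"constructed".hex().upper(),
            }],
        },
    ]
    return plistlib.dumps(definitions)


def last_update(meta_bytes: bytes):
    """Return (Version, LastModification) from XProtect.meta.plist."""
    meta = plistlib.loads(meta_bytes)
    return meta["Version"], meta["LastModification"]


def load_definitions(plist_bytes: bytes) -> list:
    return plistlib.loads(plist_bytes)


def definition_names(definitions: list) -> list:
    """Every Description string: the full list you have to account for."""
    return [d["Description"] for d in definitions]


def has_definition(definitions: list, name: str) -> bool:
    """Case-insensitive substring search over the Description strings."""
    return any(name.lower() in d["Description"].lower() for d in definitions)


def file_matches(definitions: list, data: bytes) -> list:
    """Names of definitions whose every Match clause hits `data` (simplified)."""
    digest = hashlib.sha1(data).digest()
    hits = []
    for d in definitions:
        clauses = d.get("Matches", [])
        results = []
        for clause in clauses:
            if "Identity" in clause:
                results.append(clause["Identity"] == digest)
            elif "Pattern" in clause:
                results.append(bytes.fromhex(clause["Pattern"]) in data)
            else:
                results.append(False)  # unknown clause type: never match
        if clauses and all(results):
            hits.append(d["Description"])
    return hits


if __name__ == "__main__":
    version, modified = last_update(META_PLIST)
    print(f"XProtect definitions version {version}, last modified {modified}")
    defs = load_definitions(build_sample_definitions())
    print("entries:", ", ".join(definition_names(defs)))
    print("Icefog listed by name?", has_definition(defs, "Icefog"))
    print("sample trojan hits:", file_matches(defs, SAMPLE_TROJAN))
    print("clean file hits:", file_matches(defs, SAMPLE_CLEAN))
```

To run the same check against a real machine, point `last_update` and `load_definitions` at the contents of the two files in the Resources directory named above (the location moved in later macOS releases); the name search is only as good as the Description strings, which is why the post's "account for every entry" approach, reading each entry rather than grepping for one name, is the reliable one.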

This is bad. Although users of Mountain Lion who haven't disabled Gatekeeper are safe (with its default setting, Gatekeeper refuses to open a downloaded app that isn't signed by an identified developer), people using Snow Leopard or Lion are still vulnerable. In contrast, by the 27th, the day after Icefog was described by Kaspersky, most Mac anti-virus programs were detecting Icefog; many actually added definitions on the 26th.

This is an excellent example of why multiple layers can be so important. The holes in one layer of defense – in this case, XProtect – can be covered by another layer. There are no guarantees, of course. There have certainly been cases where malware has gotten past all layers, for a short period of time. Still, in certain situations – such as when you’re using an older system without Gatekeeper, or when you have disabled Gatekeeper, or if you simply can’t trust the judgement of the person using the computer – adding anti-virus software can be beneficial.

8 Comments

  • Al says:

    > people using Snow Leopard or Lion are still vulnerable

    I thought GateKeeper was included in OS X 10.7.5, at least that’s what Apple says: http://support.apple.com/kb/HT5290.

    • Thomas says:

      If so, they added it retroactively, after I had already upgraded to Mountain Lion, which isn’t out of the question. I didn’t have Gatekeeper until I upgraded to Mountain Lion. That was a while ago, though.

    • Jay says:

      With a majority of 10.7 users not being up to date (I see Lion users every day that still run 10.7 or 10.7.3 for example), I think the statement “people using Snow Leopard or Lion are still vulnerable.” is an accurate one. In a perfect world everyone would install updates but in the real world this is rarely the case.

      • Al says:

        I haven’t seen any statistics to refute your observations so I’ll take your word for it, but one of the reasons I posted was to convince users who read this of the importance of keeping their OS fully up-to-date. Probably nine out of ten of my postings to the Apple Support Forum emphasize exactly that.

      • Sid Cannon says:

        This is something I just don’t understand with some OSX users. I’ve been using Windows for nearly 20 years and have seen many a PC have major problems with Windows updates. In some cases a re-install of the OS was necessary.

        I’ve been using OSX for about 2 to 3 years, and the update process has been faultless as far as I can see, from Snow Leopard through to and including Mountain Lion.

        So why any OSX user hasn’t got their OS up to date is beyond me.

        • Maxim says:

          Because some users are scared of breaking something. They ask themselves, why should I update it if it's working fine 🙂 But also, one of the reasons is the price. Some people are just too lazy to spend $20 on a new OS. For example, in the first week more than 50% of iPhones updated to the latest iOS 7, because it's free, easy to do, and the chance of getting a bug is low.
          I am not planning to update my OS X from 10.8.5 to Mavericks until it reaches 10.9.2 🙂

  • Ted says:

    It is because many Mac users just keep plugging along and couldn't care less what OS they are on. It just keeps working, and if they did have any OS X-based malware, that is kept silent by design and they don't have AV to tell them. So 2 years becomes 4 years and they just plain and simple couldn't care less as long as they get their email and they can get to Google to surf.
